summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5/acquire_cred.c')
-rw-r--r--source4/heimdal/lib/gssapi/krb5/acquire_cred.c153
1 files changed, 101 insertions, 52 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
index d0042e874b..0f1f5f81cf 100644
--- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
-
+
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
@@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
{
- char kt_name[256];
krb5_error_code kret;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
- kret = krb5_kt_get_name(context,
- _gsskrb5_keytab,
- kt_name, sizeof(kt_name));
- if (kret == 0)
- kret = krb5_kt_resolve(context, kt_name, keytab);
+ char *name = NULL;
+
+ kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
+ if (kret == 0) {
+ kret = krb5_kt_resolve(context, name, keytab);
+ krb5_xfree(name);
+ }
} else
kret = krb5_kt_default(context, keytab);
@@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
@@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred
* errors while searching.
*/
+ if (credential_type != GSS_C_NO_OID &&
+ !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
+ goto end;
+ }
+
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
@@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred
if (kret)
goto end;
}
- kret = get_keytab(context, &keytab);
- if (kret)
- goto end;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
- kret = krb5_get_init_creds_keytab(context, &cred,
- handle->principal, keytab, 0, NULL, opt);
+ if (credential_type != GSS_C_NO_OID &&
+ gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ gss_buffer_t password = (gss_buffer_t)credential_data;
+
+ /* XXX are we requiring password to be NUL terminated? */
+
+ kret = krb5_get_init_creds_password(context, &cred,
+ handle->principal,
+ password->value,
+ NULL, NULL, 0, NULL, opt);
+ } else {
+ kret = get_keytab(context, &keytab);
+ if (kret) {
+ krb5_get_init_creds_opt_free(context, opt);
+ goto end;
+ }
+ kret = krb5_get_init_creds_keytab(context, &cred,
+ handle->principal, keytab,
+ 0, NULL, opt);
+ }
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
@@ -233,19 +255,25 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_error_code kret;
ret = GSS_S_FAILURE;
+
+ if (credential_type != GSS_C_NO_OID) {
+ kret = EINVAL;
+ goto end;
+ }
+
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
@@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
OM_uint32 * time_rec
)
{
- krb5_context context;
- gsskrb5_cred handle;
OM_uint32 ret;
- if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
-
- GSSAPI_KRB5_INIT(&context);
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
if (desired_mechs) {
int present = 0;
@@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
}
+ ret = _gsskrb5_acquire_cred_ext(minor_status,
+ desired_name,
+ GSS_C_NO_OID,
+ NULL,
+ time_req,
+ GSS_KRB5_MECHANISM,
+ cred_usage,
+ output_cred_handle);
+ if (ret)
+ return ret;
+
+
+ ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
+ NULL, time_rec, NULL, actual_mechs);
+ if (ret) {
+ OM_uint32 tmp;
+ _gsskrb5_release_cred(&tmp, output_cred_handle);
+ }
+
+ return ret;
+}
+
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle
+ )
+{
+ krb5_context context;
+ gsskrb5_cred handle;
+ OM_uint32 ret;
+
+ cred_usage &= GSS_C_OPTION_MASK;
+
+ if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
+ }
+
+ GSSAPI_KRB5_INIT(&context);
+
+ *output_cred_handle = NULL;
+
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
@@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
-
ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
desired_name, &handle->principal);
if (ret) {
@@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle,
- actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
- NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
@@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
free(handle);
return (ret);
}
- *minor_status = 0;
- if (time_rec) {
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- handle->lifetime,
- time_rec);
-
- if (ret)
- return ret;
- }
handle->usage = cred_usage;
+ *minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}
generated by cgit (git 2.34.1) at 2024-05-20 20:12:38 +0000